Wednesday, December 24, 2008
Use SSL in IIS to protect the communication channel between your WCF enabled web application and the web client. SSL protects sensitive data on the network from being stolen or modified.
The following are the steps to configure certificates for Secure Sockets Layer (SSL) communication in IIS.
1. Click Start and then click Run.
2. In the Run dialog box, type inetmgr and then click OK.
3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
4. Right-click Default Web Site and then click Properties.
5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
6. On the Welcome screen of the Web Server Certificate Wizard, click Next to continue.
7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next.
8. On the Available Certificates screen, select the certificate you created and installed in previous step, and then click Next.
9. Verify the information on the certificate summary screen, and then click Next.
10. Click Finish to complete the certificate installation.
11. In the Default Web Site Properties dialog box, click OK.
Monday, December 22, 2008
How to Create a Temporary X.509 Certificate for Message Security
Use the following steps to create a temporary X.509 certificate for message security:
1. Create a certificate to act as your Root Certificate Authority
makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer
2. Create a Certificate Revocation List File from the Root Certificate
makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl
3. Install your Root Certificate Authority on the server and client machines. Use MMC to install the RootCATes.cer on client and server machines in the Trusted Root Certification Authorities store
4. Install the Certificate Revocation List file on the server and client machines. Use MMC to install the RootCATes.crl on client and server machines in the Trusted Root Certification Authorities
5. Create and install your temporary service certificate
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer –sr localmachine -ss my -sky exchange -pe
6. Give the WCF Process Identity Access to the Temporary Certificate’s Private Key
7. FindPrivateKey.exe My LocalMachine -n "CN=tempCert"
cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\
/E /G "NT AUTHORITY\NETWORK SERVICE":R
The value "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" should be the one returned by findprivatekey
Wednesday, December 17, 2008
Enquotes a string literal
Encloses a name in double quotes
Returns the value without any checking
Verifies that the input string is a qualified SQL name
Verifies that the input string is an existing schema name
Verifies that the input string is a simple SQL name
Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object
It is this DBMS_Assert Package that that guarantees immunity to SQL Injection.
Ensuring safety of Datetime literal
- Use the two-parameter overload, for an input of datatype date, To_Char(d, Fmt), to compose a SQL datetime literal
- Concatenate one single quote character before the start of this value and one single quote character after its end.
- Assert that the result is safe with DBMS_Assert.Enquote_Literal().
- Compose the date predicate in the SQL statement using the two-parameter overload for To_Date(t, Fmt) and using the identical value for Fmt as was used to compose t.
The procedure p_Safe(), whose first few lines are shown in code below implements this approach. Of course, date is not the only datetime datatype. The same reasoning applies for, for example, a timestamp literal.
procedure p_Safe(d in date) is
q constant varchar2(1) := '''';
-- Choose precision according to purpose.
Fmt constant varchar2(32767) := 'J hh24:mi:ss';
Safe_Date_Literal constant varchar2(32767) :=
Fmt_Literal constant varchar2(32767) := q||Fmt||q;
Safe_Stmt constant varchar2(32767) :=
' insert into t(d) values(To_Date('
|| ', '
execute immediate Safe_Stmt;
Ensuring the safety of a SQL text literal
The rules for composing a safe SQL text literal from a PL/SQL text value:
- Replace each singleton occurrence, within the PL/SQL text value, of the single quote character with two consecutive single quote characters.
- Concatenate one single quote character before the start of the value and one single quote character after the end of the value.
- Assert that the result is safe with DBMS_Assert.Enquote_Literal()
Ensuring the safety of a SQL numeric literal or simple SQL name
The rules for composing a safe SQL numeric literal from a PL/SQL numeric value:
- Use explicit conversion with the To_Char() overload with three formal parameters. This overload requires that a value be supplied for Fmt. Explicitly provide the value that supplies the default when the overload with one formal parameter is used. This is 'TM'. 'TM' is the so-called text minimum number format model. It returns the smallest number of characters possible in fixed notation unless the output exceeds 64 characters.
- Explicitly provide the value that supplies the default for the NLS_Numeric_Characters parameter when the one of the overloads with one or two formal parameters is used. This is '.,'.
- Ensure the safety of the name with DBMS_Assert.Simple_Sql_Name().
Tuesday, December 16, 2008
Use the following steps to determine WCF configuration for a NAT or firewall:
1. Determine the addressability of the service and client machines. If the service or the client are behind a NAT and are not directly addressable then use a technology such as Microsoft Teredo to enable communication.
2. Determine if there are protocol or port constraints on the service or client machines. For example, port 80 may be open through a firewall but other ports may be blocked.
Once you understand the addressability, protocol and port constraints on your service and its clients you can determine service and endpoint configuration. Use the table in the MSDN article “Working with NATS and Firewalls” at http://msdn.microsoft.com/en-us/library/ms731948.aspx to determine the best configuration for your scenario.
This is the first of it's kind Pan India group.The group will organize regular boot camps , on-line solution challenge contests, pod casts , sharing of white papers and articles amongst members.
You can also join the group on linkedin>groups>solutionscommunity
Presentations of First Boot Camp Organized can be found at links below:
Monday, December 15, 2008
- If possible, remove the need for a password at all by specifying ClientCredentialType=”Windows”, ClientCredentialType=”Certificate”, or a custom token that does not require a password.
- If the user must enter a password, protect the password by specifying either
to secure the channel or to secure the messages. Do not specify in the configuration as this will provide no communication security.